Presentation is loading. Please wait.

Presentation is loading. Please wait.

NZNOG ’07 ‘Dealing with Joe Jobs’ or how to cope with spam backscatter attacks Simon Howard.

Published byGavin Allison Modified over 9 years ago

Similar presentations

Presentation on theme: "NZNOG ’07 ‘Dealing with Joe Jobs’ or how to cope with spam backscatter attacks Simon Howard."— Presentation transcript:

1 NZNOG ’07 ‘Dealing with Joe Jobs’ or how to cope with spam backscatter attacks Simon Howard

2 Presentation Overview Definition Amplifier Target Bounce Verification Technologies Issues to Consider Questions

3 Joe Doll Attack on Joe Doll, webmaster of Joe's Cyberpost. User had their account removed for advertising spam In retaliation, forged an email from Joe Doll Caused joes.com to be DoS’ed [Jan 1997] Also defined in Wayne's World as a sub-standard job

4 Definition Your email address/domain used as the envelope sender in a spam run. Your mail systems end up receiving bounce messages vacation/out-of-office notices challenge-responses etc. Resulting in huge mail gateway, server and administrative overhead

5 Envelope Headers $ telnet 192.168.1.1 25 Connected to 192.168.1.1 Escape character is '^]'. helo dm220-mail70.yourcompany.com ESMTP 220 Welcome to yourcompany.com’s email system helo domain.com 250 mail70.yourcompany.com mail from: jane@domain.com 250 sender ok rcpt to: tracey@yourcompany.com 250 recipient ok data 354 go ahead

6 Email Structure

7 Why am I being Joe Job’ed The spammer is using your credentials to legitimise their marketing campaign -Spam -Phishing Discredit your company (Competitive sabotage) Random – In order to bypass reverse DNS lookup controls. Side-effect of a mass-mailing virus Blatant Denial of Service

8 Amplifier

9 How Amplification Works

10 Amplifier Implications Addition to a DNSBL (MAPS/Spamhaus/Spamcop) Denial of Service Leaking of sensitive information

11 Amplification of NDR’s Gateway accepts all email and relies on downstream servers to generate the NDR (non-delivery report) RFC-821 requires an NDR for unsuccessful deliveries to a final destination 1.Notification to failed recipient + reason for the failure 2.Above + original email (or part of it) 3.Above + original email + all attachments

12 Further Amplification of NDR’s For NDR's of messages sent to multiple recipients, RFC-821 provides two options 1.A single notification which lists all failed recipients of that failed message 2.Separate notification for each failed recipient

13 NDR Payload Payload -Viruses -Spam -Large files -Zip-bombs "With 105 outbound emails (containing 1000 invalid recipients) totalling 3.60MB of traffic we caused the mail servers under study to generate more than 80,000 emails, totalling 1.15GB of traffic" http://www.techzoom.net/paper-mailbomb.asp?id=mailbomb

14 Lessening The Noise Hard bounce mail for invalid recipients at the gateway Limit the maximum number of recipients per message Generate minimalistic NDR’s Generate one NDR for all failed recipients Send bounces from a server you can afford to have blacklisted Disable NDR’s altogether… (maybe not)

15 Target

16 Target of a Phishing Attack

17 Example Phishing Message mail-from: admin@bank.comadmin@bank.com rcpt-to: users@domains subject: Your Account Details Dear BANK.com Customer, In an effort to continually measure the service quality give to New Zealand and Australia, BANK.com members were sent out random survey asking valuable feedback on how we are doing and how we can approve. There are only a few questions to score and only take few minutes of your time Your patience will be rewarded with $20 direct deposit to your account and your name will automatically be entered into our quarterly drawing for $2500 grand prize If you are ready for feedback, go to http://wwwwbank.com/bankmain.php. If this link does not work, just copy and paste it into your browser Thank You! Sincerely Yours, Board of Directors BANK.com BANK.com

18 Implications for the Target Denial of Service User inbox restrictions Mail queues exploding / mail delays Unhappy users

19 Invalid Users Accept mail for valid users only local_recipient_maps (postfix) Recipient Access Table (Ironport RAT) LDAP integration Sometimes we don’t know who our valid users are or it can be too expensive to maintain. Backend user directory incompatible with front-end MTA This will stop backscatter for invalid addresses… What about valid ones?

20 Valid Users Message Headers Received-from Message-ID Looking for signs that it didn’t actually leave your network in the first place Resource Intensive

21 Bounce Verification Technologies We can’t rely on session verification techniques e.g. SPF Bounce Verification BATV (Bounce Address Tag Validation) Authbounce ABBS (Anti-Bogus-Bounce-Scheme) SES (Signed Envelope Sender)

22 BATV (Bounce Address Tag Validation)

23 BATV Specification The envelope sender address is signed. mail-from: mailbox@domain.com becomesmailbox@domain.com mail-from: prvs=mailbox/tag-val@domain.comprvs=mailbox/tag-val@domain.com tag-val = K DDD SSSSSS -K = key number -DDD = low 3 digits of the number of days since 1970 when the address will expire -SSSSSS = Hex of the first three bytes of the SHA-1 HMAC of and a key -hash-source = K DDD -orig-mailfrom = {original RFC2821.MailFrom address}

24 BATV cont… Supported on the following MTAs netqmail Ironport AsyncOS Exim Documentation available for other MTAs Pursuing IETF standardisation

25 How Authbounce works

26 Authbounce for Exim Addition of a signed X-Header: X-bounce-key: example.net-1;you@example.com;1077198109;fb7e6ffa; (1) (2) (3) (4) 1.A key identifier, typically the ISP's domain plus a number. 2.The E-mail address to which a bounce may be sent. 3.The time when the message was sent out. Bounces older than a certain age are ignored. 4.32-bit cryptographic checksum, calculated as a hash over (1), (2), (3) and a secret value

27 ABBS (Anti-Bogus-Bounce-Scheme) Similar to BATV Signed envelope sender mail-from: user-b@b.example.com becomesuser-b@b.example.com mail-from: user-b=timestamp-hmac@b.example.comuser-b=timestamp-hmac@b.example.com -timestamp is time() -hmac is HMAC-SHA1-nn -Timeout defaults to 1296000 seconds (15 days) -Supported in qmail safari

28 SES (Signed Envelope Sender) Challenge response system for SMTP UDP call back service Send hash value to the server that claims to have originated the message If the query is positive, mail is accepted as valid, if not, its rejected Website is dead, probably a good thing

29 Advantages / Disadvantages BATV  Modifies the envelope sender address Stops invalid bounces after the rcpt-to header is received Authbounce Doesn’t modify the envelope sender address  More overhead as X-headers need to be processed ABBS BATV for qmail with a few differences SES project is dead?

30 Security Considerations Cryptographic weaknesses Replay attacks

31 Issues to Consider Too many different standards, none settled on CPU overhead for large mail volumes All outbound messages tagged, all inbound checked Greylisting (451) Mail-listings validate on envelope sender Challenge-Response systems

32 More Issues… Legitimate DSNs are rejected unless the original mail has been sent via your server Roaming users…

33 Knowing Your Environment Which servers send out email?

34 Conclusion Know and control your environment Determine if you are an amplifier Decide which technology fits best Implement technology before you are targeted

35 Conclusion You don’t want to be hacking up custom Sendmail rules at 3:00am Kphishsrc regex -a@MATCH ^(customercare|customerssupport|customersupport| custservice|custsupport|infonum|online_support|o nlinesupport|operate|operator|reference|support| supprefnum)(\-ref|\_ref|\- reference|\_reference|\-id|\_id)?(\-|\_)?[0-9]+$ SLocal_check_rcpt R$* $: $>Parse0 $>3 $1 R$+ $* $: $(phishsrc $1 $)

36 Questions?

37 References ABBS - http://msgs.securepoint.com/cgi-bin/get/qmail0403/161.htmlhttp://msgs.securepoint.com/cgi-bin/get/qmail0403/161.html Anti-Phishing Workging Group: http://www.antiphishing.org/phishing_archive.htmlhttp://www.antiphishing.org/phishing_archive.html Anti-spam Email Research http://spamlinks.net/prevent-research.htmhttp://spamlinks.net/prevent-research.htm Authbounce - http://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txthttp://psg.com/%7Ebrian/software/authbounce/configure-authbounce.txt BATV - http://mipassoc.org/batv/http://mipassoc.org/batv/ Mail Non-Delivery Notice Attacks: http://www.techzoom.net/paper-mailbomb.asp?id=mailbombhttp://www.techzoom.net/paper-mailbomb.asp?id=mailbomb Postfix Backscatter Howto: http://www.postfix.org/BACKSCATTER_README.htmlhttp://www.postfix.org/BACKSCATTER_README.html Signed Envelope Sender: http://www.advogato.org/proj/Signed%20Envelope%20Sender/http://www.advogato.org/proj/Signed%20Envelope%20Sender/ Sender Policy Framework http://www.openspf.org/http://www.openspf.org/ Signed Return Address: http://www.tuffmail.com/backscatter.phphttp://www.tuffmail.com/backscatter.php Why are auto responders bad? : http://www.spamcop.net/fom-serve/cache/329.htmlhttp://www.spamcop.net/fom-serve/cache/329.html

Download ppt "NZNOG ’07 ‘Dealing with Joe Jobs’ or how to cope with spam backscatter attacks Simon Howard."

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
TrustPort Net Gateway Email traffic protection. WWW.TRUSTPORT.COM Keep It Secure Entry point protection –Clear separation of the risky internet and secured.

TrustPort Net Gateway traffic protection. Keep It Secure Entry point protection –Clear separation of the risky internet and secured.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.

Module 6 Implementing Messaging Security. Module Overview Deploying Edge Transport Servers Deploying an Antivirus Solution Configuring an Anti-Spam Solution.
Email Protocols and Troubleshooting Brandon Checketts.

Protocols and Troubleshooting Brandon Checketts.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
----Presented by Di Xu 17.12.2010.  Introduction  Overview of Spam  Solutions to Spam  Conclusion.

----Presented by Di Xu  Introduction  Overview of Spam  Solutions to Spam  Conclusion.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.

Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.
SMTP – Simple Mail Transfer Protocol

SMTP – Simple Mail Transfer Protocol
Preventing Spam: Today and Tomorrow Zane Bonny Vilaphong Phasiname The Spamsters!

Preventing Spam: Today and Tomorrow Zane Bonny Vilaphong Phasiname The Spamsters!
0 EMAIL 5000 Series DATA MANAGEMENT. 1 Why Email? Alarm/Status Notification –Remote unattended sites »Pumping stations –Pharmaceutical/Plant maintenance.

Series DATA MANAGEMENT. 1 Why ? Alarm/Status Notification –Remote unattended sites »Pumping stations –Pharmaceutical/Plant maintenance.
Chapter 30 Electronic Mail Representation & Transfer

Chapter 30 Electronic Mail Representation & Transfer
Broadcast email service Core tools. Agenda 1.Introduction – email tool and its main features 2.Setting up and sending a simple broadcast email 3.Achieving.

Broadcast service Core tools. Agenda 1.Introduction – tool and its main features 2.Setting up and sending a simple broadcast 3.Achieving.
SMTP Simple Mail Transfer Protocol. Content I.What is SMTP? II.History of SMTP III.General Features IV.SMTP Commands V.SMTP Replies VI.A typical SMTP.

SMTP Simple Mail Transfer Protocol. Content I.What is SMTP? II.History of SMTP III.General Features IV.SMTP Commands V.SMTP Replies VI.A typical SMTP.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest.

Empirical Analysis of Denial of Service Attack Against SMTP Servers Boldizsár BENCSÁTH, Laboratory of Cryptography and System Security (CrySyS) Budapest.
23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.

23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.
Spam Reduction Techniques Using greylisting and SpamAssassin.

Spam Reduction Techniques Using greylisting and SpamAssassin.

Similar presentations

Ads by Google